Debian Bug report logs -
#560779
polipo: DoS via overly large "Content-Length" header
Reported by: Raphael Geissert <geissert@debian.org>
Date: Sat, 12 Dec 2009 06:48:01 UTC
Severity: grave
Tags: patch, security
Found in version polipo/0.9.12-1
Fixed in versions polipo/1.0.4-2, polipo/1.0.4-1+lenny1
Done: Stefan Fritsch <sf@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, fechiny@gmail.com (Denis V. Sirotkin)
:
Bug#560779
; Package polipo
.
(Sat, 12 Dec 2009 06:48:04 GMT) (full text, mbox, link).
Message #3 received at submit@bugs.debian.org (full text, mbox, reply):
Package: polipo
Version: 0.9.12-1
Severity: grave
Tags: security
Hi,
A vulnerability has been found in polipo that allows a remote attacker to
crash the daemon via an overly large "Content-Length" header.
The vulnerability is caused by connection->reqlen (in client.c:
httpClientDiscardBody()) being a signed integer which can be overflowed
turning it into a negative value which later leads to a segmentation fault in
the call to memmove.
If you fix this vulnerability please include the CVE id in your changelog
entry, when one is assigned. Please work with the security team to fix this
vulnerability in the stable and oldstable releases.
For further information see:
http://www.exploit-db.com/exploits/10338
http://secunia.com/advisories/37607/
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Added tag(s) patch.
Request was from Andreas Kirschbaum <kirschbaum@in-medias-res.com>
to control@bugs.debian.org
.
(Sun, 24 Jan 2010 16:51:12 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, fechiny@gmail.com (Denis V. Sirotkin)
:
Bug#560779
; Package polipo
.
(Sun, 24 Jan 2010 16:57:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Andreas Kirschbaum <kirschbaum@in-medias-res.com>
:
Extra info received and forwarded to list. Copy sent to fechiny@gmail.com (Denis V. Sirotkin)
.
(Sun, 24 Jan 2010 16:57:07 GMT) (full text, mbox, link).
Message #10 received at 560779@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
tag 560779 + patch
thanks
The attached patch includes a commit from the upstream sources that fixes the crash.
[polipo_1.0.4-1.2.diff (text/x-diff, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, fechiny@gmail.com (Denis V. Sirotkin)
:
Bug#560779
; Package polipo
.
(Mon, 25 Jan 2010 23:03:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Julien Cristau <jcristau@debian.org>
:
Extra info received and forwarded to list. Copy sent to fechiny@gmail.com (Denis V. Sirotkin)
.
(Mon, 25 Jan 2010 23:03:03 GMT) (full text, mbox, link).
Message #15 received at 560779@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Sun, Jan 24, 2010 at 17:50:10 +0100, Andreas Kirschbaum wrote:
> tag 560779 + patch
> thanks
>
> The attached patch includes a commit from the upstream sources that fixes the crash.
Hey Andreas,
did this get uploaded at the BSP, or do you need a sponsor for the NMU?
Cheers,
Julien
[signature.asc (application/pgp-signature, inline)]
Reply sent
to Julien Cristau <jcristau@debian.org>
:
You have taken responsibility.
(Wed, 27 Jan 2010 16:12:05 GMT) (full text, mbox, link).
Notification sent
to Raphael Geissert <geissert@debian.org>
:
Bug acknowledged by developer.
(Wed, 27 Jan 2010 16:12:05 GMT) (full text, mbox, link).
Message #20 received at 560779-close@bugs.debian.org (full text, mbox, reply):
Source: polipo
Source-Version: 1.0.4-2
We believe that the bug you reported is fixed in the latest version of
polipo, which is due to be installed in the Debian FTP archive:
polipo_1.0.4-2.diff.gz
to main/p/polipo/polipo_1.0.4-2.diff.gz
polipo_1.0.4-2.dsc
to main/p/polipo/polipo_1.0.4-2.dsc
polipo_1.0.4-2_i386.deb
to main/p/polipo/polipo_1.0.4-2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 560779@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Julien Cristau <jcristau@debian.org> (supplier of updated polipo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 27 Jan 2010 15:01:52 +0100
Source: polipo
Binary: polipo
Architecture: source i386
Version: 1.0.4-2
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Julien Cristau <jcristau@debian.org>
Description:
polipo - a small, caching web proxy
Closes: 560779
Changes:
polipo (1.0.4-2) unstable; urgency=high
.
[ Andreas Kirschbaum ]
* Apply upstream commit to fix DoS via overly large "Content-Length"
header; fixes CVE-2009-3305 (closes: #560779)
.
[ Julien Cristau ]
* QA upload.
* Set Maintainer to Debian QA Group (see #566150).
* High urgency for RC bugfix.
Checksums-Sha1:
8aa9d232a4228ccb34d82a5352ed29b426793c45 1665 polipo_1.0.4-2.dsc
20d96b11c32f6cdc7703b52d99b733bf0cc77e3a 11235 polipo_1.0.4-2.diff.gz
2a77dbaae3a0c3a42d5c7436b7fdbc061176a4f9 190834 polipo_1.0.4-2_i386.deb
Checksums-Sha256:
6a2b6f817fd95456b7816745e0d4bc9845b0b2ce79081232800a067ef0bd427c 1665 polipo_1.0.4-2.dsc
ced798555a15a31f8930cea4f4431f7928e5ab5904354278a1439de3c6b121d3 11235 polipo_1.0.4-2.diff.gz
0a69d41929aa3b14681070d441075ad92d7eb011a42e1710a3328ff20a851737 190834 polipo_1.0.4-2_i386.deb
Files:
7e9a3475a5e49a1e5061898fa8ac99ba 1665 web optional polipo_1.0.4-2.dsc
0f3e70bee762b43716161553e1ca9f8b 11235 web optional polipo_1.0.4-2.diff.gz
bef6b3786ff0e6105dd3ef0047ccbf60 190834 web optional polipo_1.0.4-2_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQIcBAEBCAAGBQJLYElvAAoJEDEBgAUJBeQMiBoQAKVYopiC8WQD1SQsmrm6IQMn
zeqDJ6uQDQ/5XsH6LUB9/8TW3nEuRJr+AeYbi+VXtdwCeN6I7Hf3voGm+hWfMKte
V+bAEkyJWnlgEcW8zJeUctekcJlG/9OQyk67q660eZJ1MRv2RToRxYCz9wUs77Le
cIoGhKCxsPknBMwmiv001o9gfnhGpU88KOkDrVwAW1h8XeSnDtEzcOSVWHhtxSLc
ZwijAut2z2raANxUaV+Q71NNjqF4H0rAfjgr4iL7Fppe1idDYozVNyNlZ1lVyxFx
X5So+DDaNl1CmCgJZeEhUNi7UMhAyfjldaskf6hfGCpbDZRomnxlM36mdVdDy1sG
JsI0+fbIoqygPTXaT++apFvIaX4BcT0FhmRbw9SnYrmoXjW6Tj+S46b3uOkv8myX
Z98rXHf+RLePjoOzAm93sLqF0fFzYEfYnJrGB6J69qHpk7NZ0qQxcoUorfo6fJy0
UtaCxEqeEAcWMVjfa5Kyuaa/BjZAoTFe65L7uUGKiJqG1mqzw7TCNRLspr8JF/yU
NCriOPJ58sNC0Q2c/RZVMxqvjDUxSopDJhzEUZDU/0CGNS8f56v+l2hWbCmALdh+
FUJFMC7aaujLVPxZuuTLzQeoX0WiUnDW1lFCiKRpbplsntkwgBROMLiz4SA5Jqjf
gELtCdbJTPdi4Qj22hl2
=SR5u
-----END PGP SIGNATURE-----
Reply sent
to Stefan Fritsch <sf@debian.org>
:
You have taken responsibility.
(Fri, 19 Feb 2010 20:00:07 GMT) (full text, mbox, link).
Notification sent
to Raphael Geissert <geissert@debian.org>
:
Bug acknowledged by developer.
(Fri, 19 Feb 2010 20:00:08 GMT) (full text, mbox, link).
Message #25 received at 560779-close@bugs.debian.org (full text, mbox, reply):
Source: polipo
Source-Version: 1.0.4-1+lenny1
We believe that the bug you reported is fixed in the latest version of
polipo, which is due to be installed in the Debian FTP archive:
polipo_1.0.4-1+lenny1.diff.gz
to main/p/polipo/polipo_1.0.4-1+lenny1.diff.gz
polipo_1.0.4-1+lenny1.dsc
to main/p/polipo/polipo_1.0.4-1+lenny1.dsc
polipo_1.0.4-1+lenny1_i386.deb
to main/p/polipo/polipo_1.0.4-1+lenny1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 560779@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated polipo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 17 Feb 2010 20:31:37 +0100
Source: polipo
Binary: polipo
Architecture: source i386
Version: 1.0.4-1+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Denis V. Sirotkin <fechiny@gmail.com>
Changed-By: Stefan Fritsch <sf@debian.org>
Description:
polipo - a small, caching web proxy
Closes: 547047 560779
Changes:
polipo (1.0.4-1+lenny1) stable-security; urgency=high
.
[ Stefan Fritsch ]
* Non-maintainer upload by the Security Team.
* Backport various security related bug fixes from upstream git.
* Fix segfault when server sends Cache-Control: max-age without a value
(closes: #547047, CVE-2009-3305).
.
[ Andreas Kirschbaum ]
* Apply upstream commit to fix DoS via overly large "Content-Length"
header; fixes CVE-2009-4413 (closes: #560779)
Checksums-Sha1:
485ac6e4844c157bd4e0ebd56302aa82e694dec6 1042 polipo_1.0.4-1+lenny1.dsc
ba562906d125a6bf72dc36c2d078147d40cf8722 180487 polipo_1.0.4.orig.tar.gz
1808bdf4f47219863d7de6894af2fbab98f93500 13430 polipo_1.0.4-1+lenny1.diff.gz
f253afca3c423bd3b0789db7655f9db6c7662f80 191848 polipo_1.0.4-1+lenny1_i386.deb
Checksums-Sha256:
90a376437eb8e4ccde04e6cb7dc541037c69cf7fdb7a94b236456e853be96e93 1042 polipo_1.0.4-1+lenny1.dsc
f6458a3ab2548280d4f5596f8d5ae60c61ddf7147ee0b3bb2d67b96da49c0436 180487 polipo_1.0.4.orig.tar.gz
b4eaf56b26226f0681df3473271eb5110e4fff6acca549a5160f04e05a9aa8e8 13430 polipo_1.0.4-1+lenny1.diff.gz
9f8c0507255e42052aee2604ee8aeb7fc475f5bc1a83444046cf427722a5bd24 191848 polipo_1.0.4-1+lenny1_i386.deb
Files:
4bb50ed5472fcd6b264cb89816586bbe 1042 web optional polipo_1.0.4-1+lenny1.dsc
defdce7f8002ca68705b6c2c36c4d096 180487 web optional polipo_1.0.4.orig.tar.gz
4cc90f3327e4018c56b4e140cbcb2f46 13430 web optional polipo_1.0.4-1+lenny1.diff.gz
33af29a3f9e091dd6437fc3f3bfccab9 191848 web optional polipo_1.0.4-1+lenny1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iD4DBQFLfE0tbxelr8HyTqQRAmmRAJ47Hx4C3QUud/up/BzZhk8sVS4ajgCY46fY
eeuA08NSfFby46IUIzFbbQ==
=6XhM
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Sun, 27 Jun 2010 07:41:36 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:44:38 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.